Feature BGP, the Border Gateway Protocol, was not designed to be secure. It was designed to work – to route packets between the thousands of autonomous systems that make up the internet, quickly and at scale.
For four decades, it has done exactly that. It has also, throughout those four decades, been exploited, misconfigured, and abused in ways that were predictable from the start. Route hijacks reroute traffic through hostile networks. Route leaks knock services offline. Nation-state cyber crews weaponize BGP to intercept communications at scale. These are not theoretical threats. They are documented, recurring events, and they remain possible today for one simple reason: BGP has no native way to verify that a network claiming to own a block of addresses actually does.
A series of patches and extensions like Resource Public Key Infrastructure (RPKI), BGPsec, and RPKI-based Route Origin Authorization (ROA) have been layered over the original protocol in an attempt to address the worst of these vulnerabilities. They help at the margins. They do not solve the underlying problem.
There is, however, a system that does, or at least claims to. SCION, which stands for Scalability, Control, and Isolation On Next-Generation Networks, is an internet routing architecture developed at ETH Zürich. Unlike the patches applied to BGP, SCION does not attempt to retrofit security onto a 40-year-old foundation. It replaces the foundation entirely. That redesign is the life's work of Adrian Perrig, professor of computer science at ETH Zürich and the principal architect of SCION.
Perrig has been worrying about internet security since 1991, when he first worked with Cisco routers before starting his bachelor's degree at EPFL. He has spent most of the intervening years trying to make the internet more secure. Eventually, he concluded it was the wrong approach. "You cannot bolt on security," says Perrig. "You cannot get to a truly secure global network unless you actually change the design. It's like saying you want to go to the Moon, so let's put rocket boosters on an airplane. No, you have to design the vehicle differently."
Perrig launched SCION in 2009 after gaining tenure and the freedom to pursue something most of his colleagues told him was career suicide. His core frustration was simple: the same vulnerabilities had been documented since the 1980s, and nobody had tried to fix them at the architectural level. "The best security companies in the world are still being exploited through them," he says. "There has not even been an attempt to address them properly."
Kevin Curran, a cybersecurity professor at Ulster University who has been teaching computer networks for 27 years, offers an independent assessment that lands in the same place. The internet, he says, was built without security in mind, and what followed was a succession of workarounds. "What we have had over 40 years is a series of Band-Aids," says Curran. "Nothing has come close to addressing the need for truly secure paths across an adversarial network."
Perrig's metaphor for the current state of internet security is a boat full of holes: people run around with buckets, throwing water out and plugging gaps, but the hull remains compromised. Security today, he argues, works the same way: patches get applied, vulnerabilities get closed, and new ones open up elsewhere. SCION, in his framing, is a fundamentally redesigned vessel. Water might splash in from outside, but it doesn't pour through structural gaps.
To understand what SCION actually does differently, it helps to understand what BGP gets wrong. In today's internet, there is no cryptographic chain of custody for a packet's journey from source to destination. And if a network somewhere along the path fails, the rerouting process – which involves detecting the failure, finding a new path, establishing a new session, and reconciling in-flight transactions – can take minutes.
SCION addresses this problem through three interlocking mechanisms. The first is multi-path routing. Where today's internet offers a single path between two points, SCION establishes tens or even hundreds of parallel paths simultaneously. If one fails, the system reroutes within milliseconds. Perrig is precise about the threshold: "Human reaction time for auditory stimulus is roughly 150 milliseconds, and for visual, it's 250 milliseconds. When outages are on the order of milliseconds, the human brain cannot notice it. That's how fast SCION switches."
The second mechanism is isolation domains – ISDs in SCION terminology. Rather than relying on a small number of global trust anchors, or a sprawling ecosystem of over a thousand certificate authorities that all must be trusted simultaneously, SCION lets countries, regions, or organizations define their own local trust roots. An error or compromise in one isolation domain cannot propagate to another. Perrig offers a concrete historical example: an entity in Australia made a configuration mistake that caused ATMs across France, Norway, and continental Europe to fail simultaneously. That kind of cascading failure is structurally impossible in a SCION network.
The third mechanism is cryptographic path validation. Every router along a SCION path provides a cryptographic signature. Packets cannot be silently rerouted through a network that wasn't part of the agreed path. The sender and receiver specify which paths they want to use, and those choices are enforced at the protocol level.
Curran, who has no stake in SCION's commercial success, independently validates these technical claims. The isolated domains and cryptographic signing, he says, are the core of what makes the protocol meaningful: "A genuine attempt to give senders and receivers control over the path their data takes, rather than leaving it to intermediate routers whose behavior cannot be verified."
Fritz Steinmann has spent 30 years as a network engineer in the Swiss financial sector. Since 2009, he has worked for SIX Group, the operator of the Swiss Stock Exchange, Swiss securities clearing, and – critically – the interbank payment infrastructure used by around 120 Swiss financial institutions. In 2015, his management asked him to develop a replacement strategy for Finance IPNet, the 20-year-old MPLS network that connected those institutions. "Interbank clearing in Switzerland is around 220 billion Swiss francs per day," Steinmann says. "So it's not an option to fail, yet I had to give up, because there was no alternative."
The options were unappealing. The public internet was not acceptable to Swiss banks for transaction settlement. SD-WAN required either a single operator – politically impossible given the multiple carriers already involved – or proprietary vendor lock-in that no one wanted. Steinmann first encountered SCION in 2017 through a partnership between SIX and ETH Zürich. He approached it with the skepticism of someone who had seen academic network projects fail to survive contact with operational reality. "Academia and industry usually don't fit so well together," he says. "They do great things but then usability is the challenge. However, what Adrian told us was really an eye-opener. It was the first time somebody had something that did not just make sense from an academic point of view, but where I immediately also saw real-world applications."
The Swiss National Bank (SNB) had already been using SCION for some internal use cases. Given that SCION was being asked to carry payments settled between commercial banks and the central bank, this was a significant signal. In 2019, SIX and SNB joined forces to design what would become the Secure Swiss Finance Network (SSFN). It would take two years of security assessments, governance design, and testing before the network was ready.
Building the SSFN turned out to be as much a governance project as a technology project. The network needed to admit banks, exclude miscreants, and handle the issuance of short-lived certificates, valid for three days to allow rapid revocation if a participant is expelled. It also needed to operate its own certificate authority (CA). No commercial CA was willing to take on the risk. The challenge wasn't technical, Steinmann explains. It was about process. How do you verify that UBS is actually UBS? How do you quantify the liability if you get it wrong? No existing CA had answers, so SIX built its own and has been running it in production for five years now.
SCION's Trust Root Configuration – the mechanism for encoding which entities are permitted to participate and under what conditions – embeds the governance decisions of the network's voting members into the cryptographic foundation itself. The rules about who can join, and when they can be expelled, are not policies in a database. They are enforced by the protocol. Steinmann notes, with some satisfaction, that enforcement has already been exercised.
Performance metrics, when they arrived in testing, exceeded expectations. When a carrier failed, the old Finance IPNet required a sequence of steps – detection, failover, path discovery, reconnection, authentication, session re-establishment, transaction reconciliation – that could take three to four minutes in total. During SSFN testing, Steinmann conducted a carrier shutdown exercise. He had asked his team to stand by before shutting down one of the network providers. Before he could give the signal, his colleague reported back: Oh, I already did it. I thought you had given the go-ahead. "We didn't notice a thing," Steinmann says. "Failover had been below one millisecond. Applications had no awareness that the underlying network topology had changed entirely." The SSFN went live in November 2021. In September 2024, Finance IPNet began its sunset. The old infrastructure, which had run for 20 years, is being phased out.
So SCION works. The evidence is not a vendor whitepaper or a lab proof of concept. It is 220 billion Swiss francs settled daily on infrastructure that replaced a network Swiss banks trusted for two decades, with the predecessor in the process of being phased out. Then why, nearly nine years after first production deployment, has it not spread beyond Switzerland at scale?
The barriers are several, and they compound each other. The first is standardization. BGP is an IETF standard. SCION is not. An IETF Independent Stream RFC is in progress – a formally published informational document that sits outside the IETF standardization track. Full standardization through the IETF working group process has not yet begun. For large organizations, that distinction matters. Deploying a protocol before it is standardized means accepting the risk that implementations diverge, that the eventual standard requires costly changes, or that the protocol never achieves the critical mass that would make standardization meaningful.
The second is the chicken-and-egg problem inherent in any network technology. Nobody wants to be first. The pain of running traditional networks – the latency spikes, the route hijacks, the three-minute failover windows – is, as Steinmann puts it, known and bearable. Organizations have adapted to it. "We have gotten a bit numb," he says. "We are OK with the way it works, and not really thrilled to see the advantages of a new foundation."
The third barrier is vendor concentration. A single company, Anapaya – a spin-off of ETH Zürich that packages SCION into deployable network products for carriers and enterprises – currently provides the only commercial implementation. Steinmann is frank about the catch-22 this creates. Cisco has told him directly that if SCION isn't a $20 billion business, they're not interested. But it cannot become a $20 billion business without companies like Cisco.
The fourth barrier is the most fundamental, and the one Steinmann returns to repeatedly. Infrastructure renewal is psychologically different from other kinds of technology adoption. Nobody notices when it works. Everyone notices when it fails. And the effort of replacing something that is, by most metrics, still functioning is almost impossible to justify to a board focused on the house rather than its foundations. "When was the last time you renewed your house foundation?" Steinmann asks. "You don't. You would tear down the house first. But what we're doing here is renewing the foundation without tearing down the house."
Perrig's view of adoption timelines is optimistic. He believes that within three to five years, SCION will be embedded in the fundamental network libraries used by thousands of applications – meaning developers won't need to think about it, it will just be there. ISPs in Benelux are already offering SCION connectivity. Some customers are switching providers specifically because their current ISP doesn't offer it. Perrig describes a self-reinforcing flywheel beginning to turn. "Two years ago I wouldn't have said this confidently," he says. "Now I can see it. I'm confident in five years, but hopefully three."
Steinmann is more measured. He credits Perrig's optimism as necessary – without it, the project would never have reached this point – but does not share the timeline. "He's endlessly optimistic, which is necessary," says Steinmann. "But I have my doubts, because of the slowness of adoption and the willingness of people to experiment. The willingness to adopt something new that is unknown is just not there."
Curran, approaching SCION from the outside, offers what may be the most useful framing. The technology is sound, its architecture addresses real weaknesses, and whether SCION itself becomes the dominant protocol or seeds a closely related successor matters less than the direction of travel. What would accelerate adoption, he suggests, is not incremental evidence but a sufficiently dramatic failure of the existing infrastructure. "If we see nation-states doing attacks which reroute traffic and take down national infrastructure – acts of war at the low level in the network, something where SCION would have provided the solution – then it will quickly be adopted," Curran says. "We have to see how state-sponsored attacks work in the next year or so. That would be the prime mover."
SCION is increasingly discussed in the context of European digital sovereignty. Its architecture has obvious relevance to that project. Isolation domains allow countries or regions to define their own trust roots, independent of US-based certificate authorities. The theoretical kill switch that a hostile state actor might pull on conventional internet routing does not exist in a well-designed SCION deployment.
Perrig is deliberately careful with the sovereignty framing. He prefers the term optionality – the freedom to choose which paths to use, which trust roots to rely on, which networks to connect to – and resists the political weight that comes with sovereignty language. He is not wrong to be careful. The sovereignty framing overpromises what network architecture alone can deliver.
Steinmann uses the sovereignty language directly, but without prompting introduces the caveat that most sovereignty advocates leave out. "Yes, it is a sovereign alternative, there is no central kill switch beyond your own jurisdiction's capabilities," he says. "But the same controllability could be misused by totalitarian approaches to government. It's then fully controllable. It will help reduce dependencies on allies who might turn evil. But it could also be misused as a weapon against a free internet. That's the drawback, and I won't judge what's better."
Curran adds a constraint that is architectural rather than political: any network that wants to have value must interconnect globally. A sovereign SCION deployment that cannot route traffic to the rest of the internet is not a useful network. The technology enables meaningful control over path and trust, but it does not deliver sovereignty automatically or completely – and it doesn't pretend to.
What SCION does offer – and what Switzerland has demonstrated in production – is a network in which operators know precisely whom they are trusting, where their traffic is going, and what the conditions are for participation. That is a form of control the public internet does not provide, regardless of what sovereignty framework you attach to it.
The gap between what SCION can do and what it is currently used for is not, at its core, a technical problem. The technology has been validated under conditions most infrastructure operators will never face. The governance framework required to run it has been designed, tested, and operated at scale. The old network it replaced has been turned off. Not paused. Turned off.
What has not happened is the leap from Switzerland to the rest of the world. SCION's deployment model – build the governance first, get the key parties committed, define the trust roots, enforce the rules – is precisely the kind of process that works in Switzerland and struggles almost everywhere else.
Whether standardization, the European digital sovereignty agenda, or a sufficiently serious BGP incident changes that calculation remains, for now, an open question. Steinmann's final point was simple: nobody thinks about foundations until they crack. He is right that nobody renews a house foundation without being forced to. He is also right that it can be done without tearing the house down. Whether that is a reason to act now, or to wait until the structure starts to shift, is a decision the rest of the world has not yet made. ®
Source: The register